Most modern automobiles operate via the correct functioning of various components (e.g., discrete electronic control units (ECUs), sensors, and/or actuators) that communicate over one or more in-vehicle automobile networks (e.g., Controller Area Networks (CANs) and FlexRay networks). Traditional automobile networks have been multicast networks, and traditional automobile-network messages have generally not included source or destination addresses. Instead of using source or destination addresses, transmitting components have generally used unique identifiers to label the automobile-network messages that they broadcast and to provide meaning to the data that the messages contain. In a typical automobile, many diverse systems share and communicate over the same automobile network. As a result, conversations (e.g., request-response message transactions) among components of one system may appear on an automobile network randomly interleaved with conversations among components of other systems. As such, each component that is connected to a traditional automobile network will generally (1) receive each automobile-network message that is broadcast over the automobile network and (2) be required to decide whether to act upon or ignore the received messages based on the messages' identifiers.
Traditionally, automobile-network components have been designed to trust the automobile-network messages that they receive. However, in recent years, researchers and malicious attackers have begun to find various ways to cause an automobile to perform unexpected and/or undesired actions by (1) connecting to the automobile's automobile networks (e.g., via a diagnostic port located under the dash of the automobile or a compromised automobile-network component that has wireless communication capabilities) and (2) broadcasting malicious automobile-network messages over the automobile network. For example, by broadcasting malicious automobile-network messages over an automobile's automobile network, an attacker may be able to cause the automobile to misreport its speed, apply its brakes, turn its steering wheel, or even shut down.
Anomaly detection is a traditional method for detecting malicious messages within a network. Traditional anomaly-detection systems will often use baselines of normal message sequences to detect when abnormal (e.g., malicious) message sequences are present on a network. Unfortunately, the task of determining baselines for normal message sequences in automobile networks has traditionally been difficult, since automobile-network messages traditionally do not include source or destination addresses and request-response message transactions of components of one system are typically randomly interleaved with request-response message transactions of components of other systems. Moreover, the identifiers used to label automobile messages may be unique to some automobile networks. For example, some automobile-network identifiers may be assigned uniquely for each vehicle, for each model year, and/or for different variants of the same vehicle in the same model year. Furthermore, many automobile manufacturers do not disclose their assignments of automobile-network identifiers. The instant disclosure, therefore, identifies and addresses a need for improved systems and methods for detecting transactional message sequences that are obscured in multicast communications.
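The following is an added illustration, not part of the disclosure: from a constructed, address-less multicast log in which two systems' request-response transactions are interleaved at varying offsets, it infers which identifier pairs form transactions from timing consistency alone, uses those pairs as a baseline, and flags a response frame that no request preceded. The identifiers, timestamps, 10 ms window and support threshold are constructed values chosen for the example.

```python
from collections import Counter, defaultdict

# Constructed frames: (timestamp_ms, identifier). As on a CAN bus there are no
# source or destination addresses; the two transactions (0x100->0x101 and
# 0x200->0x201) interleave at varying offsets, so adjacency alone says little.
def make_cycle(base, offset):
    return [(base, 0x100), (base + 5, 0x101),
            (base + offset, 0x200), (base + offset + 4, 0x201)]

NORMAL_LOG = sorted(f for k, off in enumerate([2, 40, 70, 3, 55])
                    for f in make_cycle(100 * k, off))

def learn_pairs(frames, window_ms=10, min_support=0.8):
    """Infer {request_id: response_id}: b is a's response if b follows a
    within window_ms in at least min_support of a's occurrences."""
    occurrences = Counter(fid for _, fid in frames)
    followers = defaultdict(Counter)
    for i, (t, fid) in enumerate(frames):
        for t2, fid2 in frames[i + 1:]:
            if t2 - t > window_ms:
                break
            if fid2 != fid:
                followers[fid][fid2] += 1
    pairs = {}
    for fid, counts in followers.items():
        resp, n = counts.most_common(1)[0]
        if n / occurrences[fid] >= min_support:
            pairs[fid] = resp
    return pairs

def check_log(frames, pairs, window_ms=10):
    """Flag transactional anomalies against the learned pairs: a response
    with no matching request shortly before it (e.g., an injected frame)
    and a request that is never answered. Other identifiers are ignored."""
    responses = {r: q for q, r in pairs.items()}
    alerts = []
    for i, (t, fid) in enumerate(frames):
        if fid in responses:  # expect its request within the window before it
            if not any(f == responses[fid] and 0 <= t - t0 <= window_ms
                       for t0, f in frames[max(0, i - 50):i]):
                alerts.append((t, fid, "response without request"))
        elif fid in pairs:    # expect its response within the window after it
            if not any(f == pairs[fid] and 0 <= t2 - t <= window_ms
                       for t2, f in frames[i + 1:i + 51]):
                alerts.append((t, fid, "request without response"))
    return alerts

# Constructed test traffic: one normal cycle plus an injected 0x101 at 60 ms
# that no 0x100 request preceded.
ATTACK_LOG = sorted(make_cycle(0, 30) + [(60, 0x101)])
```

On NORMAL_LOG the learned baseline is {0x100: 0x101, 0x200: 0x201} with no alerts; on ATTACK_LOG the stray 0x101 frame is reported as a response without a request.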